IRS hackers hit 334,000 accounts, almost 3 times worse than first reported

Hackers who breached the networks of the Internal Revenue Service may have stolen data from as many as 334,000 taxpayer accounts, the agency announced on Monday – nearly three times more than originally believed.

When the hack was first reported by the IRS in May, the agency said that hackers were able to gain access to taxpayer information from roughly 114,000 accounts via the “Get Transcript” service. On Monday, the IRS said a new analysis of 23 million service requests revealed the number is actually far higher.

“The new review identified an estimated additional 220,000 attempts where individuals with taxpayer-specific sensitive data cleared the Get Transcript verification process,” the IRS said in a statement. “The review also identified an additional 170,000 suspected attempts that failed to clear the authentication processes.”

Additionally, the IRS stated that hackers tried to gain access to an additional 170,000 taxpayer accounts but were unsuccessful. That, in addition to the 111,000 failed attempts announced in May, brings the total number of unsuccessful attempts up to 281,000.

In order to access taxpayer information, hackers would have had to clear Get Transcript’s multi-step authentication process by inputting personal information such as Social Security numbers, home addresses and dates of birth, NBC News reported. It’s not clear why the data was taken or who was behind the attack, but the IRS said it believes some of this data could be used to file fraudulent tax returns for the 2016 filing season.

As a result, the IRS will start mailing out notice letters to the newly affected households. “Anyone receiving a letter should take steps to protect themselves by taking advantage of the free credit monitoring and IP PIN which can be used to verify the authenticity of next year’s tax return,” the agency said.

The original breach took place for several months, between February and May 2015. The Get Transcript program was shut down following the revelation of the cyberattack. One cybersecurity professional said the hack shows that authentication systems could be problematic, since it’s hard to tell when a hacker is requesting data that requires the input of personal information.

"Here we have a case where a successful authentication-based attack was discovered in May, and yet the IRS is still unclear of the extent of the breach’s damage months later,” Jeff Hill of the STEALTHbits Technologies cybersecurity company told USA Today. “Even now, how confident is the IRS they fully understand the extent of the attack completely, or should we expect yet another shoe to drop in the coming weeks?”

The IRS’ Monday announcement comes a little more than a month after it was revealed that a hack at Office of Personnel Management put the data of more than 21 million people at risk. In July, agency, which handles background checks for government employees, said hackers were able to steal sensitive information such as Social Security numbers, fingerprints, usernames and passwords, among other data.